Still reeling from Heartbleed, OpenSSL suffers from crypto bypass flaw

Bug in crypto library strips away one of the Internet's most crucial protections.

A researcher has uncovered another severe vulnerability in the OpenSSL cryptographic library. It allows attackers to decrypt and modify Web, e-mail, and virtual private network traffic protected by the transport layer security (TLS) protocol, the Internet's most widely used method for encrypting traffic traveling between end users and servers.

The TLS bypass exploits work only when traffic is sent or received by a server running OpenSSL 1.0.1 and 1.0.2-beta1, maintainers of the open-source library warned in an advisory published Thursday. The advisory went on to say that servers running a version earlier than 1.0.1 should update as a precaution. The vulnerability has existed since the first release of OpenSSL, some 16 years ago. Library updates are available on the front page of the OpenSSL website. People who administer servers running OpenSSL should update as soon as possible.

The underlying vulnerability, formally cataloged as CVE-2014-0224, resides in the ChangeCipherSpec processing, according to an overview published Thursday by Lepidum, the software developer that discovered the flaw and reported it privately to OpenSSL. It makes it possible for attackers who can monitor a connection between an end user and server to force weak cryptographic keys on client devices. Attackers can then exploit those keys to decrypt the traffic or even modify the data before sending it to its intended destination.

"OpenSSL's ChangeCipherSpec processing has a serious vulnerability," the Lepidum advisory stated. "This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. There are risks of tampering with the exploits on contents and authentication information over encrypted communication via web browsing, e-mail and VPN, when the software uses the affected version of OpenSSL."

Client devices are vulnerable no matter what older version of OpenSSL they are running. As stated earlier, servers are vulnerable when running 1.0.1 and 1.0.2-beta1, according to an accompanying OpenSSL advisory. The attacks are possible only when both sides are running a vulnerable OpenSSL version.
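The handshake ordering defect behind the weak keys, modelled as an added example (this is constructed illustration code, not OpenSSL's source or Lepidum's analysis): the published analyses of CVE-2014-0224 attribute the weak keys to OpenSSL accepting a ChangeCipherSpec before the key exchange had established a master secret, so the session keys were derived from an empty secret plus the publicly visible hello randoms. The model below uses an HMAC-SHA256 stand-in for the TLS PRF and constructed handshake messages; `enforce_order=False` reproduces the defect and `enforce_order=True` the corrected state machine that rejects an early ChangeCipherSpec.

```python
import hashlib
import hmac


class HandshakeError(Exception):
    """Raised when a handshake message arrives in an invalid state."""


def derive_session_key(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Simplified stand-in for the TLS key-expansion PRF (constructed for this example).
    # With an empty master secret the result depends only on the two public randoms.
    label = b"key expansion" + client_random + server_random
    return hmac.new(master_secret, label, hashlib.sha256).digest()


class TlsPeer:
    """Minimal handshake state: the key exchange sets the master secret,
    ChangeCipherSpec activates keys derived from it."""

    def __init__(self, enforce_order: bool):
        self.enforce_order = enforce_order  # False models the defect, True the fix
        self.master_secret = b""            # empty until the key exchange completes
        self.client_random = b""
        self.server_random = b""
        self.session_key = None

    def handle(self, msg: dict) -> None:
        kind = msg["type"]
        if kind == "ClientHello":
            self.client_random = msg["random"]
        elif kind == "ServerHello":
            self.server_random = msg["random"]
        elif kind == "KeyExchange":
            self.master_secret = msg["master_secret"]
        elif kind == "ChangeCipherSpec":
            # The corrected state machine refuses to switch keys before a
            # master secret exists; the defective one derives keys regardless.
            if self.enforce_order and not self.master_secret:
                raise HandshakeError("ChangeCipherSpec received before key exchange")
            self.session_key = derive_session_key(
                self.master_secret, self.client_random, self.server_random
            )
        else:
            raise HandshakeError(f"unexpected handshake message {kind!r}")


# Constructed sample values (not captured traffic).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
MASTER_SECRET = hashlib.sha256(b"constructed master secret").digest()

NORMAL_TRANSCRIPT = [
    {"type": "ClientHello", "random": CLIENT_RANDOM},
    {"type": "ServerHello", "random": SERVER_RANDOM},
    {"type": "KeyExchange", "master_secret": MASTER_SECRET},
    {"type": "ChangeCipherSpec"},
]

# Same handshake with a ChangeCipherSpec inserted before the key exchange.
EARLY_CCS_TRANSCRIPT = [
    {"type": "ClientHello", "random": CLIENT_RANDOM},
    {"type": "ServerHello", "random": SERVER_RANDOM},
    {"type": "ChangeCipherSpec"},
]


def negotiate(enforce_order: bool, transcript: list) -> bytes:
    """Run a transcript through a peer and return the session key it activates."""
    peer = TlsPeer(enforce_order)
    for msg in transcript:
        peer.handle(msg)
    return peer.session_key


def observer_key() -> bytes:
    """Key that anyone who saw the two hello randoms can compute: the empty-secret derivation."""
    return derive_session_key(b"", CLIENT_RANDOM, SERVER_RANDOM)


if __name__ == "__main__":
    print("defective peer, early CCS, key observable:",
          negotiate(False, EARLY_CCS_TRANSCRIPT) == observer_key())
    try:
        negotiate(True, EARLY_CCS_TRANSCRIPT)
    except HandshakeError as exc:
        print("corrected peer rejects early CCS:", exc)
```

The check worth taking away is the one in the `ChangeCipherSpec` branch: a key switch is only meaningful once the secret it depends on exists, so the state machine has to refuse the message rather than derive something from whatever happens to be in the buffer.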

While serious, the latest OpenSSL flaw isn't as severe as the Heartbleed vulnerability that was disclosed eight weeks ago. That's because attacks exploiting the new vulnerability are harder to carry out and are generally less damaging. Whereas Heartbleed allowed anyone to send malicious packets that would force a vulnerable machine to divulge passwords, cryptographic keys, and other highly sensitive data, the latest attacks can only bypass encryption for a single targeted connection. And they can only be executed by people with some degree of control over the connection. Without doubt, that's serious, but not the catastrophe visited by Heartbleed.

"The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected," Adam Langley, a widely respected cryptographer and software engineer who works for Google, wrote in a technical analysis. "None the less, all OpenSSL users should be updating."

Separately, the OpenSSL advisory said that Thursday's updates fixed several other vulnerabilities that allowed attackers to remotely execute malicious code on servers or end user machines and crash devices. The most serious among them is a memory-corruption vulnerability in the OpenSSL implementation of the datagram transport layer security (DTLS) component and is cataloged as CVE-2014-0195. It was introduced by the same developer responsible for the Heartbleed bug. In addition to the previous link, Hewlett-Packard's Zero Day Initiative group has a separate blog post about the vulnerability here. A separate blog post from Symantec sheds additional light.